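Outlook hit by man-in-the-middle attack in China

The monitoring organization GreatFire received reports on January 17 that Microsoft's email system Outlook was subjected to a man-in-the-middle (MITM) attack in China. The attack targeted people who send and receive Outlook mail through email clients on mobile devices. The organization suspects that the attack was the censorship authorities testing firewall technology.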

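When users in China access Outlook through an email client (Ice-dove), they see the following certificate:

GreatFire's tests confirmed that Outlook was indeed under attack: both IMAP (Internet Message Access Protocol) and SMTP (Simple Mail Transfer Protocol) were subjected to a man-in-the-middle attack. The web interfaces (https://outlook.com and https://login.live.com/) were not affected. The attack lasted about a day and has now stopped.

This form of attack is especially insidious: compared with a browser, the warning a user receives in an email client is far less noticeable and easier to ignore, as shown below:

(Sample error message received from the default iPhone mail client)

When the client tries to retrieve messages automatically, the user sees only a warning that pops up suddenly. Because the user did not actively retrieve messages, most users will not think twice before tapping "Continue", ignoring the warning or blaming it on a network connection fault. If the user does tap "Continue", all of his or her email, contacts and passwords will be stolen by the hackers.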

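This attack came within a month of Gmail being blocked (Gmail remains completely unusable to this day). Because this MITM attack shares many similarities with earlier attacks on Google, Apple, Yahoo and others, GreatFire again suspects that the Cyberspace Administration of China carefully orchestrated the attack or deliberately allowed it to happen. This would mean the Chinese authorities intend to crack down further on communication channels they cannot easily monitor.

As of publication, Microsoft had not responded to the matter.

Three months ago, a man-in-the-middle attack on Apple's iCloud storage service prompted Apple CEO Tim Cook to travel to China in person to raise the issue with the authorities. A spokesperson for China's Ministry of Foreign Affairs subsequently denied the attack, and Apple never made public the outcome of its talks with the Chinese side. Apple later created a "Chinese help page" to deal with similar problems, referring to them as "organized network attacks".

At the same time as the attack on Apple, Google and Yahoo also experienced similar MITM attacks, and the web version of Microsoft Outlook was also briefly attacked. The authorities appear to be testing their MITM technology and gathering data on how users react. By tracking how many users ignore the warning, the authorities can assess how effective this type of attack is.

GreatFire strongly advises users never to bypass a certificate error message by clicking "Continue".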

 

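Call to stop trusting CNNIC certificates

GreatFire suspects that the Cyberspace Administration of China is directly responsible for this attack on Outlook and for several other similar attacks. Because the Cyberspace Administration is the body that directly oversees the China Internet Network Information Center (CNNIC), the security certificates CNNIC certifies cannot be trusted either.

GreatFire again calls on internet companies and organizations, including Microsoft and Apple, to immediately stop trusting CNNIC as a certification authority.

What are CNNIC certificates used for?

They can be used for initial identification of a person or device, for authenticating services, and for encrypting files.

What is a certification authority (CA)?

A certification authority is an organization that issues certificates. It establishes and verifies the authentication system for public keys, and verifies the identity of the individuals or organizations requesting keys.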

 

Technical Details

IMAP/SMTP are commonly used on mobile email clients (e.g. the default mail application on iPhones) and desktop email clients like Thunderbird. Internet Message Access Protocol (IMAP) is a protocol which allows users to connect to the same mailbox through multiple devices (i.e. your desktop, mobile, etc.). Simple Mail Transfer Protocol (SMTP) is typically used by users to send messages to a server which are then relayed to the recipient.

Wikipedia defines a man-in-the-middle (MITM) attack in the following way:

The man-in-the-middle attack...is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.

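Testing

To reproduce the results above in Firefox, we first configured Firefox to allow access to port 993, which is also the port used by IMAP. We then visited https://imap-mail.outlook.com:993 and immediately received a warning. As you can see in the image below, the certificate is self-signed.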

  outlook-MITM.png

The image below shows the certificate error displayed in Chrome. Chrome was also configured to allow connections on port 993.
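The browser test above can also be run as a script. This is an added example, not code from GreatFire's post: it performs a fully verified TLS handshake to port 993, maps OpenSSL's verify code to a verdict (code 18 is the self-signed case described above), and records the SHA-256 of the certificate actually served so it can be compared across networks. The function names and verdict labels are assumptions of this example.

```python
import hashlib
import socket
import ssl

# Names and verdict labels below are this example's own, not from the article.
# OpenSSL X509_V_ERR_* codes; SUSPICIOUS ones fit a substituted certificate.
VERIFY_CODES = {
    10: "certificate has expired",
    18: "self-signed leaf certificate",
    19: "self-signed certificate in chain",
    20: "issuer not in local trust store",
    62: "hostname mismatch",
}
SUSPICIOUS = {18, 19, 20, 62}


def verdict(code):
    """Map an OpenSSL verify code (None = verified) to (label, reason)."""
    if code is None:
        return ("ok", "chain and hostname verified")
    reason = VERIFY_CODES.get(code, f"verify error {code}")
    return ("suspicious" if code in SUSPICIOUS else "invalid", reason)


def presented_fingerprint(host, port, timeout=10):
    """SHA-256 of whatever leaf certificate the peer presents (no validation)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()


def probe(host, port=993, timeout=10):
    """Handshake with full verification; on failure report why and what was served."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                code = None
    except ssl.SSLCertVerificationError as exc:
        code = exc.verify_code
    label, reason = verdict(code)
    return {"host": host, "port": port, "verdict": label, "reason": reason,
            "sha256": presented_fingerprint(host, port, timeout)}


if __name__ == "__main__":
    print(probe("imap-mail.outlook.com", 993))
```

A "suspicious" verdict on one network together with a fingerprint that differs from the one seen on a trusted network is the pattern the article describes.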

The fake certificate used in the attack:

https://github.com/chengr28/RevokeChinaCerts/blob/master/Windows/Certs/[Fake]AnyHotmailCom_201501.crt

WireCapture:

https://www.cloudshark.org/captures/8bf76336e67d

Reports:

https://www.v2ex.com/t/163062 and https://www.v2ex.com/t/163018.

 


Comments

Removing CNNIC root isn't practical, as it prevents the company from selling devices in China. Please make more practical recommendations. For example, only accept CNNIC-signed certificates for .CN domains. That would allow CNNIC to continue to exercise control over Chinese domains without jeopardizing the security of the entire Internet. (This is basically "TLD pinning" for root CAs.)


At this rate, shouldn't China create their own operating system like what North Korea did? Everything is banned, it's so annoying for tourists. Thank you for sharing the news! I want to visit China some day but with this policy, I can't receive email from work when traveling, it's very hard for me.